1. Field of the Invention
The present invention relates generally to a computer implemented method, data processing system, and computer program product for delegating authorization to access data processing system features. More specifically, the present invention relates to associating roles that bundle authorizations with console roles.
2. Description of the Related Art
Multi-user computer systems compartmentalize authority among users according to a system manager's assignment of job duties to subordinate system administrators. System administrators are permitted access to system features according to their status in an organization and job description.
To permit a computer to authenticate a user, data processing systems may challenge a user to provide a login name and a password. Once a matching login name and password, previously known to the data processing system, are entered, the user is considered logged in, or engaged in a user session. The user then interacts with the data processing system by entering commands or accessing features. A system that maintains a data structure of authorizations corresponding to the user session can screen these commands or feature accesses against the list of authorizations assigned to the user. Commands that are found in this data structure are allowed and processed, while commands that are not found in it can be rejected or otherwise disallowed.
Data processing systems that provide high functionality from a command line enable an administrator to establish and maintain a database of authorizations bundled in a data structure called a role. An administrative user login is a set of credentials provided by a system administrator. The set of credentials may include a user name and a password. The administrative user login can be for a root user. This user has the authority to delegate authorizations to other user logins. In addition, the administrative user login can authorize other users to themselves delegate authorizations.
An authorization is a key that enables a function for use by a user within a data processing system. The authorization may be grouped with other authorizations to form, collectively, a role. A role is one or more authorizations in combination. An authorization may be assigned by one user to a second user. Depending on the data processing system, an authorization may be assigned to a user by assigning a role to the user, where the role includes the authorization. Examples of some authorizations that may be assigned to a user include the authorization “aix.security.user.remove” to use “rmuser”, an AIX® command or Advanced Interactive eXecutive command to remove a user specified on the command line. AIX® is a trademark of International Business Machines Corporation in the United States, other countries or both. A second example is the authorization “aix.security.user.change” to use “chuser”, an AIX command to change attributes of a user specified on the command line. One of the attributes of the user is the set of roles assigned to the user. The command “chuser” is used to remove roles from a user or add roles to a user. Since a role is a collection of authorizations, removing a role from a user through the “chuser” command actually removes one or more authorizations from the user.
Other operating systems may bundle authorizations according to operating system native roles. The authorizations, so bundled, are called operating system native authorizations. An operating system native role is a data structure that bundles two or more authorizations of an operating system into a single named role, such that the role may be assigned to a user based on user identifier or user name. An operating system native authorization can be, for example, an AIX authorization.
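The following Python is an added illustration, not part of the patent text and not AIX's own implementation. It models the scheme the preceding paragraphs describe: roles bundle authorizations, roles are assigned to (or removed from) users in the manner of “chuser”, a user session carries the authorizations that correspond to it, and each command is screened against that data structure. The command-to-authorization table, the role names and the user names are constructed for the example; the two authorization strings and commands are the ones named in the text.

```python
"""Role-based command screening: roles bundle authorizations, roles are
assigned to users, and a session is checked against the authorizations
it carries (added example, not from the patent or from AIX)."""
from dataclasses import dataclass, field

# Constructed table mapping a command to the authorization that enables it,
# using the two AIX examples from the text. Illustrative only; it is not
# AIX's privileged-command database.
COMMAND_AUTHORIZATIONS = {
    "rmuser": "aix.security.user.remove",
    "chuser": "aix.security.user.change",
}


@dataclass(frozen=True)
class Role:
    """A named bundle of one or more authorizations."""
    name: str
    authorizations: frozenset


@dataclass
class User:
    name: str
    roles: dict = field(default_factory=dict)  # role name -> Role

    def effective_authorizations(self) -> frozenset:
        """Union of the authorizations of every role the user holds."""
        auths = set()
        for role in self.roles.values():
            auths |= role.authorizations
        return frozenset(auths)


class Session:
    """The authorization data structure tied to one logged-in user."""

    def __init__(self, user: User):
        self.user = user.name
        # Design choice for this example: the set is snapshotted at login,
        # so a role removed afterwards takes effect at the next login.
        self.authorizations = user.effective_authorizations()

    def check_command(self, command: str) -> bool:
        """Allow the command only if its authorization is in the session."""
        required = COMMAND_AUTHORIZATIONS.get(command)
        if required is None:
            return False  # command not in the table: fail closed
        return required in self.authorizations


class Directory:
    """Holds role definitions and user accounts (hypothetical store)."""

    def __init__(self):
        self.roles = {}
        self.users = {}

    def define_role(self, name: str, *authorizations: str) -> Role:
        self.roles[name] = Role(name, frozenset(authorizations))
        return self.roles[name]

    def add_user(self, name: str) -> User:
        self.users[name] = User(name)
        return self.users[name]

    def assign_role(self, user_name: str, role_name: str) -> None:
        """Like adding a role to the user's roles attribute with chuser."""
        self.users[user_name].roles[role_name] = self.roles[role_name]

    def remove_role(self, user_name: str, role_name: str) -> None:
        """Removing a role strips the authorizations only that role supplied."""
        self.users[user_name].roles.pop(role_name, None)


def demo() -> dict:
    """Assign two overlapping roles, remove one, and observe what survives."""
    d = Directory()
    d.define_role("UserRemover", "aix.security.user.remove")
    d.define_role("UserAdmin", "aix.security.user.remove",
                  "aix.security.user.change")
    d.add_user("alice")
    d.assign_role("alice", "UserRemover")
    d.assign_role("alice", "UserAdmin")
    first = Session(d.users["alice"])
    before = {c: first.check_command(c) for c in ("rmuser", "chuser", "ls")}

    d.remove_role("alice", "UserAdmin")
    second = Session(d.users["alice"])
    after = {c: second.check_command(c) for c in ("rmuser", "chuser")}
    # The earlier session still holds its snapshot until alice logs in again.
    stale = first.check_command("chuser")
    return {"before": before, "after": after, "stale_session_chuser": stale}


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is the last sentence of the text above: removing the “UserAdmin” role takes away “aix.security.user.change”, but “aix.security.user.remove” survives because “UserRemover” still supplies it, so a revocation must be checked against every role the user retains rather than against the one being removed. The stale-session value shows why a system that snapshots authorizations at login should re-read them, or end the session, when roles change.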
A challenge faced by system administrators in such systems is that operating system native roles are not bundled together into a matching console role. Accordingly, the benefits of navigating management tasks may not accrue without significant manual labor by the system manager to define console roles in a manner that relies on operating system native roles.